Daycare Apps Are Dangerously Insecure | Electronic Frontier Foundation
Daycare Apps Are Dangerously Insecure
BY ALEXIS HANCOCKJUNE 21, 2022
baby in crib plays with spying toy blocks
ESPAÑOL
Last year, several parents at EFF enrolled kids into daycare and were instantly told to download an application for managing their children’s care. Daycare and preschool applications frequently include notifications of feedings, diaper changes, pictures, activities, and which guardian picked-up/dropped-off the child—potentially useful features for overcoming separation anxiety of newly enrolled children and their anxious parents. Working at a privacy-oriented organization as we do, we asked questions: Do we have to use these? Are they secure? The answer to the former, unfortunately, was “yes,” partly so that the schools could abide by health guidelines to avoid unnecessary in-person contact. But troublingly, the answer to the second was a resounding “no.”
As is the case with so many of these services, there are a few apps that are more popular than others. While we started with the one we were being asked to use, this prompted us to look closer at the entire industry.
"The (Mostly) Cold Shoulder"
These days, offering two-factor authentication (2FA), where two different methods are used to verify a user’s login, is fairly standard. EFF has frequently asserted that it is one of the easiest ways to increase your security. Therefore, it seemed like a basic first step for daycare apps.
In October 2021, we tried to reach out to one of the most popular daycare services, Brightwheel, about the lack of two-factor authentication on their mobile app. We searched around on the site for an email to report security concerns and issues, but we could not find one.
A few cold emails and a little networking later, we got a meeting. The conversation was productive and we were glad to hear that Brightwheel was rolling out 2FA for all admins and parents. In fact, the company’s announcement claimed they were the “1st partner to offer this level of security” in the industry—an interesting but also potentially worrisome claim.
Was it true? Apparently so. This prompted us to do more outreach to other popular daycare apps. In April 2022, we reached out to the VP of Engineering at another popular app, HiMama (no response). Next we emailed HiMama’s support email about 2FA, and received a prompt but unpromising response that our feature request would be sent to the product team for support. So we dug in further.
Digging Further—And a History of Cold Shoulders
Looking at a number of popular daycare and early education apps, we quickly found more issues than just the lack of 2FA. Through static and dynamic analysis of several apps, we uncovered not just security issues but privacy-compromising features as well. Issues like weak password policies, Facebook tracking, cleartext traffic enabled, and vectors for malicious apps to view sensitive data.
As a note on investigative tools and methodology: we used MobSF and apktool for static analysis of application code and mitmproxy, Frida, and adb (Android Debug Bridge) for dynamic analysis to capture network traffic and app behavior.
Initially, we had inferred that many of these services would be unaware of their issues, and we planned to disclose any vulnerabilities to each company. However, we discovered that not only were we not alone in wondering about the security of these apps, but that we weren’t alone in receiving little to no response from the companies.
In March 2022, a group of academic & security researchers from the AWARE7 agency, Institute for Internet Security, Max Planck Institute for Security and Privacy, and Ruhr University Bochum presented a paper to the PET (Privacy Enhancing Technologies) Symposium in Sydney, Australia. They described the lack of response their own disclosures met:
“Precisely because children's data is at stake and the response in the disclosure process was little (6 out of 42 vendors (±14%) responded to our disclosure), we hope our work will draw attention to this sensitive issue. Daycare center managers, daycare providers, and parents cannot analyze such apps themselves, but they have to help decide which app to introduce."
In fact, the researchers made vulnerability disclosures to many of the same applications we were researching in November 2021. Despite the knowledge that children’s data was at stake, security controls still hadn’t been pushed to the top of the agenda in this industry. Privacy issues remained as well. For example, The Tadpoles Android app (v12.1.5) sends event-based app activity to Facebook's Graph API. As well as very extensive device information to Branch.io.
BY ALEXIS HANCOCKJUNE 21, 2022
baby in crib plays with spying toy blocks
ESPAÑOL
Last year, several parents at EFF enrolled kids into daycare and were instantly told to download an application for managing their children’s care. Daycare and preschool applications frequently include notifications of feedings, diaper changes, pictures, activities, and which guardian picked-up/dropped-off the child—potentially useful features for overcoming separation anxiety of newly enrolled children and their anxious parents. Working at a privacy-oriented organization as we do, we asked questions: Do we have to use these? Are they secure? The answer to the former, unfortunately, was “yes,” partly so that the schools could abide by health guidelines to avoid unnecessary in-person contact. But troublingly, the answer to the second was a resounding “no.”
As is the case with so many of these services, there are a few apps that are more popular than others. While we started with the one we were being asked to use, this prompted us to look closer at the entire industry.
"The (Mostly) Cold Shoulder"
These days, offering two-factor authentication (2FA), where two different methods are used to verify a user’s login, is fairly standard. EFF has frequently asserted that it is one of the easiest ways to increase your security. Therefore, it seemed like a basic first step for daycare apps.
In October 2021, we tried to reach out to one of the most popular daycare services, Brightwheel, about the lack of two-factor authentication on their mobile app. We searched around on the site for an email to report security concerns and issues, but we could not find one.
A few cold emails and a little networking later, we got a meeting. The conversation was productive and we were glad to hear that Brightwheel was rolling out 2FA for all admins and parents. In fact, the company’s announcement claimed they were the “1st partner to offer this level of security” in the industry—an interesting but also potentially worrisome claim.
Was it true? Apparently so. This prompted us to do more outreach to other popular daycare apps. In April 2022, we reached out to the VP of Engineering at another popular app, HiMama (no response). Next we emailed HiMama’s support email about 2FA, and received a prompt but unpromising response that our feature request would be sent to the product team for support. So we dug in further.
Digging Further—And a History of Cold Shoulders
Looking at a number of popular daycare and early education apps, we quickly found more issues than just the lack of 2FA. Through static and dynamic analysis of several apps, we uncovered not just security issues but privacy-compromising features as well. Issues like weak password policies, Facebook tracking, cleartext traffic enabled, and vectors for malicious apps to view sensitive data.
As a note on investigative tools and methodology: we used MobSF and apktool for static analysis of application code and mitmproxy, Frida, and adb (Android Debug Bridge) for dynamic analysis to capture network traffic and app behavior.
Initially, we had inferred that many of these services would be unaware of their issues, and we planned to disclose any vulnerabilities to each company. However, we discovered that not only were we not alone in wondering about the security of these apps, but that we weren’t alone in receiving little to no response from the companies.
In March 2022, a group of academic & security researchers from the AWARE7 agency, Institute for Internet Security, Max Planck Institute for Security and Privacy, and Ruhr University Bochum presented a paper to the PET (Privacy Enhancing Technologies) Symposium in Sydney, Australia. They described the lack of response their own disclosures met:
“Precisely because children's data is at stake and the response in the disclosure process was little (6 out of 42 vendors (±14%) responded to our disclosure), we hope our work will draw attention to this sensitive issue. Daycare center managers, daycare providers, and parents cannot analyze such apps themselves, but they have to help decide which app to introduce."
In fact, the researchers made vulnerability disclosures to many of the same applications we were researching in November 2021. Despite the knowledge that children’s data was at stake, security controls still hadn’t been pushed to the top of the agenda in this industry. Privacy issues remained as well. For example, The Tadpoles Android app (v12.1.5) sends event-based app activity to Facebook's Graph API. As well as very extensive device information to Branch.io.
